Netgate Discussion Forum

    Shellshock - pfSense not vulnerable?

      LinuxTracker

      (Edited because my OP was uninformed)

      My understanding is that FreeBSD never included the Bash shell by default and therefore isn't susceptible to the ShellShock bug.
      ref: https://news.ycombinator.com/item?id=8365110

      If you can confirm, deny or add anything - please do.

        Guest

        FreeBSD != Linux, friends.

        Edited version of internal email from jimp follows.

        The base system doesn't include bash, so unless it's being pulled in another way we can't see, pfSense is not affected.

        Unless you've loaded one of three packages, there is no bash binary on the system.
        The affected packages are:

        Anyterm: Contains bash in its binaries which are in the git repo(!), not a .pbi or .tgz. We're removing the package entirely from the repo. No archive. It's not worth keeping.

        (Gonzopancho adds: Bye bye. I've been bitching internally about packages we didn't compile. Now everyone understands why. We will not distribute packages we don't compile.)

        Freeswitch-dev: Runs pkg_add for bash. Unmaintained package. Could probably be safely removed.

        FreeRADIUS2: Adds bash via pkg_add using FreeBSD's 8.3-RELEASE package set if the user activates Mobile-One-Time-Password (varsettingsmotpenable). Commonly used package, though we are unsure if the maintainer is still around. Will be deactivated for 2.0.x but kept for 2.1+. For 2.1 we can either build/host an up-to-date tgz for it to pkg_add to minimize changes to the code in the package or build bash into the .pbi and adjust its paths/code to handle that better. We favor adding it to the PBI so that if it happens in the future we need only build a new PBI as usual.

        Overall, not a huge impact.
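
The check behind "there is no bash binary on the system", as an added example that is not part of the original post or of pfSense's own tooling: a POSIX sh script that lists bash binaries and scripts with a bash shebang under the directories passed to it. The function names and the choice of directories to scan are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): look for bash under the given directories.
# Written for POSIX sh, because the base system has no bash to run it with.
# Usage: sh audit_bash.sh DIR...   (which DIRs to scan is up to the reader)

# Print executable files or symlinks named "bash".
find_bash_binaries() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" \( -type f -o -type l \) -name bash 2>/dev/null |
        while IFS= read -r path; do
            if [ -x "$path" ]; then printf '%s\n' "$path"; fi
        done
    done
}

# Print scripts whose shebang line names bash, i.e. files that need a bash
# interpreter to run and so hint that a package depends on it.
find_bash_scripts() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -type f 2>/dev/null |
        while IFS= read -r path; do
            [ -r "$path" ] || continue
            first=
            IFS= read -r first < "$path" || :   # keep a first line with no newline
            case $first in
                '#!'*/bash | '#!'*/bash' '* | '#!'*' bash' | '#!'*' bash '*)
                    printf '%s\n' "$path" ;;
            esac
        done
    done
}

# Report findings; return 1 if a bash binary exists, 0 if none was found.
audit_bash() {
    bins=$(find_bash_binaries "$@")
    scripts=$(find_bash_scripts "$@")
    [ -z "$scripts" ] || printf '%s\n' "$scripts" | sed 's/^/needs bash: /'
    if [ -n "$bins" ]; then
        printf '%s\n' "$bins" | sed 's/^/bash binary: /'
        return 1
    fi
    echo "no bash binary found"
}

# Only scan when directories are given on the command line.
if [ "$#" -gt 0 ]; then audit_bash "$@"; fi
```

A non-zero exit status means a bash binary was found and its version should be checked against the advisory; "needs bash" lines alone point at packages that may install bash later.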

          jimp Rebel Alliance Developer Netgate

          There is some additional info in the main thread for this issue:
          https://forum.pfsense.org/index.php?topic=82163.0

          And also on the blog:
          https://blog.pfsense.org/?p=1457

          And in our security advisory:
          https://www.pfsense.org/security/advisories/pfSense-SA-14_18.packages.asc

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.